Monthly Archives: August 2012

Spent some namecoins

I bought some more namecoin domain names, in addition to erik.bit and kelsey.bit. They’re so cheap.

So now, if you have a namecoin DNS configuration (which almost everyone doesn’t), you can browse to https://___.bit and you’ll end up at my IP.


NamecoinToBind Setup with Debian

I finally got NamecoinToBind working with bind in Debian. If you don’t know what Namecoin is, check this out (it’s pretty nerdy, so be prepared). I ran into some snags with network configuration, specifically when static-ing the IP of my DNS server. So far, I’ve registered one domain in namecoin, erik.bit. You can see the activity on this record here. If you have a working bind server, you can use NamecoinToBind to periodically create zone files for the .bit TLD. Currently, these zone files can create some issues in bind though, so you have to do the following in your bind configuration:

check-names master ignore;
check-names slave ignore;
check-names response ignore;

This basically allows things like -.bit to work, which is insane:

hank@shelob ~ $ nslookup "\-.bit"
Name:	-.bit
Address: 212.232.51.96

Password security limitations of various websites

After reading , I decided to go through and do a nice password cleansing. After a few years of “good password policies” being trumpeted around, I thought I’d find a majority of websites accepting large (> 16-digit) alpha-numeric-symbolic passwords. This was a terrible assumption, and as I’ve been going through and finding these limitations, I’ve been sending complaints to each customer service department. Just a note, the passwords I’m trying are more than 20 characters with symbols, numbers, and uppercase and lowercase letters. Here’s a summary:

| Site | Notes | Result |
| --- | --- | --- |
| Amazon | Allows the password. | Gold Star! |
| Discover Card | Allows the password. | Gold Star! |
| Chase | Doesn’t allow symbols. | |
| Ally | 16 character maximum! | |
| Fidelity | 12 character maximum, no symbols! | |
| Instructables | Allows the password. | Gold Star! |
| LinkedIn | Allows the password. | Gold Star! |
| Kiva | Allows the password. | Gold Star! |
| Yahoo | Allows the password. | Gold Star! |
| Mt. Gox | Allows the password. | Gold Star! |
| Dwolla | Allows the password. | Gold Star! |
| CampBX | Allows the password. | Gold Star! |
| Paypal | 20 character maximum! | |
| Allstate | Passwords must be 6 to 10 characters, certain symbols not allowed (<, >)! | |
| Geico | 16 character maximum! Only allows certain special characters! | |
| Github | Allows the password. | Gold Star! |
| Site5 | Allows the password. | Gold Star! |
| IMDB | Allows the password. | Gold Star! |
| Ebay | 16 character maximum! | |
| Etrade | Strange invalid character error, not a stated limitation. Further investigation shows no special characters are allowed. | |
| Newegg | Allows the password. | Gold Star! |
| Netflix | 4-10 characters. | |

The really alarming part is most of the failures I ran into had to do with banking/money. Why do these sites put limits on user password security? It seems like that’s the last place you would want these kinds of limitations. It’s hilarious that sites like IMDB, which I don’t expect strong security from whatsoever, allow me to use more secure passwords than my bank accounts. I especially love this from Etrade – they don’t specify what character was invalid, or that there are any invalid characters that could be entered:

Upon further investigation, I found out they don’t allow special characters.

I also love how Netflix apparently allows a 4-character password! That’s secure, huh!

Got some new vanity bitcoin addresses

I generated these using vanitygen.

1MANaTeEZoH4YkgMYz61E5y4s9BYhAuUjG
1ErikgLXAmxuTk76tdCrRW3iLnX1GS8mFd
1ErikTuZYf9Fpvs4Eqk1SEbCbGXi3eN5Gg

The first two even work in firstbits (1erikg and 1manatee)!
http://firstbits.com/?a=1manatee
http://firstbits.com/?a=1erikg

Update

I also got a litecoin vanity address:

LerikguvK4nTvhk5XUp8ofg2JgLqAGnBV3

I generated it like this:

./vanitygen -o vanity.out -X 48 -ik Lerikg

Bitcoin Brainfungus

So, I’ve been “fungusing,” as my friend Geet would put it, on Bitcoin lately. I got myself into a bit of a pickle lately, and I wanted to document what happened and what I did to resolve it. Basically, I’m trying to create physical bitcoins from exceedingly cheap materials. Currently, my plan is to use plastic pirate gold coins with round hologram tamper evident stickers, and under the stickers jam a QRcode or just a label with the private key. This way, you can peel off the tamper evident sticker to redeem the coin. The materials per unit will run about 10 cents (3.5 cents for the plastic, 6 cents for the sticker, plus a label/printout/whatever). There are other places where you can get physical world bitcoins, but they’re expensive! Casascius has some really nice ones for a bit more than a 2 USD premium at current prices:

https://www.casascius.com/

I’m hoping to make it so these bits of plastic have about zero sentimental value – just pirate coins with numbers thrown on them – but they still seem like money for some reason. I might eventually experiment with metal versions.

I figured out how to generate physical-world-friendly coins using the code found here:

https://github.com/hank/life/blob/master/code/python/bc-coin-gen/gen_coin.py

Basically, it seeds the random number generator with entropy from good old OSX, then proceeds to generate a bunch of private keys. It finds private keys that conform to the mini key format discussed here:

https://en.bitcoin.it/wiki/Private_key

So, I went on a quest to figure out how to extract the public key from this private key. It turns out there’s some interesting elliptic curve math involved, and tools exist to somewhat securely dump out the associated data for a public key. The best one I found was the following:

https://www.bitaddress.org

This allows you to locally (yes, in javascript delivered by SSL) dump all relevant information about a private key. I proceeded to key in the private key to the Wallet Details tab, and I got all the information I needed. Next, I sent 5 bitcents (currently trading for about fifty cents USD) to the compressed address. This is where things got weird. After a bit, I noticed the transaction had propagated here:

http://blockexplorer.com/address/1BtYPYHUvNLSAii2FvHhRiyEyFf6NRSe2S

So, I went to my Mt. Gox account and tried to redeem the private key as a deposit method. It said it was valid, but had no bitcoins associated with it. Uhoh…
Then I tried using the compressed private key. Still no go. I tried everything listed on the bitaddress page, and nothing would let me recover the address.
After a bunch of time, I finally got bitcoind compiled on OSX and properly connecting to bitcoin-qt. I added the address using the following command:

./bitcoind importprivkey L3tUmpNLdfPDMuYDpzNqfwFbCJo6sCkxCahyLibYEm4M9qAHbpZ2
error: {"code":-4,"message":"Error adding key to wallet"}

Oh of course – I forgot to unlock my wallet before doing this. This is how you fix that:

read -rs x && ./bitcoind walletpassphrase "$x" 300; unset x

This will read your password from STDIN, run it into the bitcoin client and have it store it for 300 seconds, then unset it from the shell. Sure, there are more secure ways to do this, but this is so quick and easy! Finally, I was able to import the private key using the command I showed first (it worked this time, but took a while). It automatically picked up the 5 bitcent balance and added it to my wallet balance (yay!). Here’s a screenshot of the key data I was working with (it’s useless now since I’ve transferred all the BTC out of this account):

As you can see, the private minikey at the bottom is really short (22 characters). I’ll probably be creating an instructable if the whole coin idea works out.
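The mini key check and the step from a mini key to an importable private key, as an added example that is not from the original post or from gen_coin.py. It assumes the format described on the Bitcoin wiki page linked above ('S' followed by base58 characters, SHA256 of the key plus '?' starting with a zero byte, private key equal to SHA256 of the mini key); the function names are made up for illustration, and candidates are drawn with Python's secrets module.

```python
import hashlib
import secrets

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def is_valid_minikey(key: str) -> bool:
    """'S' + base58 chars, 22 or 30 long, and SHA256(key + '?') starts with 0x00."""
    if len(key) not in (22, 30) or key[0] != "S":
        return False
    if any(c not in B58 for c in key):
        return False
    return hashlib.sha256((key + "?").encode("ascii")).digest()[0] == 0

def generate_minikey(length: int = 22) -> str:
    """Draw candidates from the OS CSPRNG until one passes (about 1 in 256 does)."""
    while True:
        cand = "S" + "".join(secrets.choice(B58) for _ in range(length - 1))
        if is_valid_minikey(cand):
            return cand

def minikey_to_privkey(key: str) -> bytes:
    """The 32-byte private key is SHA256 of the mini key string itself."""
    if not is_valid_minikey(key):
        raise ValueError("not a well-formed mini private key")
    return hashlib.sha256(key.encode("ascii")).digest()

def base58check(payload: bytes) -> str:
    """Append a 4-byte double-SHA256 checksum and encode in base58."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(data) - len(data.lstrip(b"\0"))  # leading zero bytes become '1'
    return "1" * pad + out

def privkey_to_wif(priv: bytes, compressed: bool = False) -> str:
    """WIF as taken by importprivkey: 0x80 + key (+ 0x01 if compressed)."""
    return base58check(b"\x80" + priv + (b"\x01" if compressed else b""))

if __name__ == "__main__":
    mk = generate_minikey()  # freshly generated throwaway key
    priv = minikey_to_privkey(mk)
    print("mini key:        ", mk)
    print("WIF uncompressed:", privkey_to_wif(priv))
    print("WIF compressed:  ", privkey_to_wif(priv, compressed=True))
```

The uncompressed and compressed WIF strings encode the same private key but correspond to different addresses, so funds sent to one address are only found by software that derives that same form.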

Update

I finally got my QRCode printing down with 30% error correction built in, so I can embed the bitcoin logo front and center on the QRCode itself. Here’s an example:

This contains the private key for a wallet with a single satoshi in it. Here’s the address I used to fill the account:

http://blockexplorer.com/address/19kagGCSbejCpRw6BZuTQixhp1F5QZT8Ps

I was able to print the above QRCode in color, then scan it directly into the Mt. Gox app under Transfer -> Redeem. Here’s the result: